Please help me with this system security log


I was poking around on my computer tonight and found this system log. Actually there were five or six events that occurred around this same time. That would be at 3:16:47 AM this morning while everyone in our house was sound asleep. We have a wireless router, but it is encrypted. We are more security aware than most people but we could be infected.  Please see the log below. Thank you!


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/5/2010 3:16:47 AM
Event ID:      5061
Task Category: System Integrity
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MikeAdams
Description:
Cryptographic operation.

Subject:
      Security ID:            LOCAL SERVICE
      Account Name:            LOCAL SERVICE
      Account Domain:            NT AUTHORITY
      Logon ID:            0x3e5

Cryptographic Parameters:
      Provider Name:      Microsoft Software Key Storage Provider
      Algorithm Name:      RSA
      Key Name:      eff52a01-bafe-4aa3-9fce-427b8febfdc3
      Key Type:      Machine key.

Cryptographic Operation:
      Operation:      Open Key.
      Return Code:      0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-04-05T08:16:47.036717100Z" />
    <EventRecordID>5703</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="5428" />
    <Channel>Security</Channel>
    <Computer>MikeAdams</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-19</Data>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e5</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">RSA</Data>
    <Data Name="KeyName">eff52a01-bafe-4aa3-9fce-427b8febfdc3</Data>
    <Data Name="KeyType">%%2499</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x0</Data>
  </EventData>
</Event>
SMPC Asked:

slemmesmi Commented:
Dear SMPC,

this event originates from the Security Auditing running on your computer(s).
It reflects a successful audit event, of a local service opening the computer (machine) key.
From this event it is not possible to conclude whether a rogue local service is running, but it is my doubt.
You can read more about this event on many www.technet.com pages, but I find the following most valuable:
http://support.microsoft.com/kb/977519

E.g. if you desire to drill further into the specific event, check out the reference to wevtutil

Kind regards,
Soren
0
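The fields of the event discussed above, decoded in Python as an added example (not part of the original thread and not a Microsoft tool). The `%%2499` and `%%2480` mappings are taken only from the rendered text of the posted event, the XML is an abridged copy of the one in the question, and the -5 hour offset is inferred from the post's 3:16:47 AM against the XML's 08:16:47Z.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known service account SIDs; S-1-5-19 is the one in the posted event.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE"}
# %%NNNN placeholders, mapped only from the rendered text of the posted event.
PARAM_STRINGS = {"%%2499": "Machine key.", "%%2480": "Open Key."}

# Abridged copy of the Event XML posted in the question.
POSTED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5061</EventID>
    <TimeCreated SystemTime="2010-04-05T08:16:47.036717100Z" />
    <Execution ProcessID="600" ThreadID="5428" />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-19</Data>
    <Data Name="KeyName">eff52a01-bafe-4aa3-9fce-427b8febfdc3</Data>
    <Data Name="KeyType">%%2499</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x0</Data>
  </EventData>
</Event>"""

def parse_event(xml_text, utc_offset_hours=0):
    """Flatten one exported event into a dict with its raw fields decoded."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime is UTC with 100 ns precision; whole seconds are enough here.
    utc = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "pid": int(root.find("e:System/e:Execution", NS).get("ProcessID")),
        "local_time": utc.astimezone(timezone(timedelta(hours=utc_offset_hours))),
        "account": WELL_KNOWN_SIDS.get(data.get("SubjectUserSid"), "unrecognised SID"),
        "key_type": PARAM_STRINGS.get(data.get("KeyType"), data.get("KeyType")),
        "operation": PARAM_STRINGS.get(data.get("Operation"), data.get("Operation")),
        "succeeded": int(data.get("ReturnCode", "0x1"), 16) == 0,
    }

if __name__ == "__main__":
    for field, value in parse_event(POSTED_EVENT, utc_offset_hours=-5).items():
        print(f"{field:11} {value}")
```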
SMPC Author Commented:
Thank you Soren. I will view the suggested pages and read them. I knew it was a cryptographic event and that is what concerned me. What would my computer be doing at 0316 hours without any human at the keyboard when the system was supposed to be asleep? Perhaps it was only getting an update?
 
Thank you once more,
 
Mike
0
slemmesmi Commented:
Dear Mike,

your computer is doing plenty even when an interactive user is not logged on (even at 0316).
As you suggest, it could be checking for updates (e.g. for Windows/Microsoft Update), performance collections, renewing IP, services (such as IIS) may be installed and running on the computer, "housekeeping", and so forth.
You may find more by looking into the SystemLog and ApplicationLog of the EventLog, looking at what (else) was taking place at 0316.

Kind regards,
Soren
0
SMPC Author Commented:
Thank you! We feel better. Mike
0